Yama: verify inode is symlink to avoid bind mounts
in [Kernel]
|
Prev: Regression: 2.6.34 boot fails on E5405 system, bisected: de08e2c26
Next: x86: Fix vtime/file timestamp inconsistencies
From: Serge E. Hallyn on 13 Jul 2010 22:30 Quoting Kees Cook (kees.cook(a)canonical.com): > The inode_follow_link LSM hook is called in bind mount situations as > well as for symlink situations, so we must explicitly check for the > inode being a symlink to not reject bind mounts in 1777 directories, Are you sure about that?? If that's true, you might also expand the comment in include/linux/security.h. > which seems to be a common NFSv4 configuration. > > Signed-off-by: Kees Cook <kees.cook(a)canonical.com> > --- > security/yama/yama_lsm.c | 4 ++++ > 1 files changed, 4 insertions(+), 0 deletions(-) > > diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c > index 3b76386..c70eb10 100644 > --- a/security/yama/yama_lsm.c > +++ b/security/yama/yama_lsm.c > @@ -116,6 +116,10 @@ static int yama_inode_follow_link(struct dentry *dentry, > if (!protected_sticky_symlinks) > return 0; > > + /* if inode isn't a symlink, don't try to evaluate blocking it */ > + if (!S_ISLNK(inode->i_mode)) > + return 0; > + > /* owner and follower match? */ > cred = current_cred(); > inode = dentry->d_inode; > -- > 1.7.1 > > > -- > Kees Cook > Ubuntu Security Team > -- > To unsubscribe from this list: send the line "unsubscribe linux-security-module" in > the body of a message to majordomo(a)vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
From: Kees Cook on 14 Jul 2010 02:20 On Tue, Jul 13, 2010 at 03:30:21PM -0700, Kees Cook wrote: > The inode_follow_link LSM hook is called in bind mount situations as > well as for symlink situations, so we must explicitly check for the > inode being a symlink to not reject bind mounts in 1777 directories, > which seems to be a common NFSv4 configuration. > > Signed-off-by: Kees Cook <kees.cook(a)canonical.com> > --- > security/yama/yama_lsm.c | 4 ++++ > 1 files changed, 4 insertions(+), 0 deletions(-) > > diff --git a/security/yama/yama_lsm.c b/security/yama/yama_lsm.c > index 3b76386..c70eb10 100644 > --- a/security/yama/yama_lsm.c > +++ b/security/yama/yama_lsm.c > @@ -116,6 +116,10 @@ static int yama_inode_follow_link(struct dentry *dentry, > if (!protected_sticky_symlinks) > return 0; > > + /* if inode isn't a symlink, don't try to evaluate blocking it */ > + if (!S_ISLNK(inode->i_mode)) > + return 0; > + > /* owner and follower match? */ > cred = current_cred(); > inode = dentry->d_inode; Erg, please ignore this -- I tested a slightly different version of this patch. This version doesn't have inode set yet. I will follow up with the correct one in a moment... -Kees -- Kees Cook Ubuntu Security Team -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
From: Kees Cook on 14 Jul 2010 03:00 On Tue, Jul 13, 2010 at 09:30:48PM -0500, Serge E. Hallyn wrote: > Quoting Kees Cook (kees.cook(a)canonical.com): > > The inode_follow_link LSM hook is called in bind mount situations as > > well as for symlink situations, so we must explicitly check for the > > inode being a symlink to not reject bind mounts in 1777 directories, > > Are you sure about that?? > > If that's true, you might also expand the comment in > include/linux/security.h. > > > which seems to be a common NFSv4 configuration. Well, the issue is how the NFSv4 client deals with it. It seems to treat the mounts from the NFSv4 root as a symlink when the server is using bind mounts. It's kind of weird: https://launchpad.net/bugs/604407 -- Kees Cook Ubuntu Security Team -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
From: James Morris on 20 Jul 2010 19:10
On Tue, 13 Jul 2010, Kees Cook wrote: > The inode_follow_link LSM hook is called in bind mount situations as > well as for symlink situations, so we must explicitly check for the > inode being a symlink to not reject bind mounts in 1777 directories, > which seems to be a common NFSv4 configuration. > > Signed-off-by: Kees Cook <kees.cook(a)canonical.com> > --- > v2: > - actually set inode in time to use it. *face palm* Applied to git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6#next -- James Morris <jmorris(a)namei.org> -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/ |